Configuration errors go unnoticed for 4 years
FlightAware Attack
FlightAware is a major flight tracking platform. It provides real-time as well as historical flight tracking data. FlightAware is considered the world's largest flight-tracking platform.
Recently, they submitted a breach notification on July 25, 2024, claiming that a configuration error had been leaking data since Jan 1, 2021. The data that supposedly leaked includes:
Full name
Billing address
Shipping address
IP address
Social media account
Telephone number
Year of birth
Last four digits of credit card number
Information about aircraft owned
Pilot status
Industry and title
Account activity (including flights viewed and comments posted)
Social Security number (SSN)
Lessons from this incident
Implementing straightforward security configurations can offer significant protection and mitigate vulnerabilities. Ensuring robust configuration in all runtime software is crucial, because misconfiguration is one of the easiest targets for exploitation.
Ensure that default security settings are thoroughly defined across all software before deployment.
At the point of deployment, do not reduce any security measures for any software. If security settings result in test failures, focus on resolving the functionality instead of deactivating those settings.
Maintain constant monitoring. Always assume a breach is possible and have effective monitoring and alert systems in place so that any malicious activity is detected promptly.
Utilize static code analyzers capable of identifying all software configurations and spotting insecure values. Incorporate these tools diligently into your build and release pipelines.
Employ dynamic scanning to identify insecure configurations at runtime. Ensure these tools are active in your environment.
Merely running these tools isn't enough; they are steps towards a goal, not the final solution. Establish processes to review and address alerts generated by these tools, distinguishing between false positives and actual issues. Address real issues within well-defined service level agreements (SLAs).
Conduct periodic audits and maintain a checklist of critical items to verify their integrity at runtime. This is an ideal opportunity to review and update all configurations, firewall settings, access control lists (ACLs), etc., for the software.
Don’t collect data that you don’t really need. The more data you hold, the greater the exposure in case of a breach.
Building a separate data classification for each type of data you handle is extremely important. For example, SSN and credit card information must be classified as more sensitive than an email address.
Data classified as sensitive must have additional protection at rest, in transit, and through access controls.
Network diagrams are extremely important to have; they provide a clear map of which endpoints need to be public and which need to be private. They also serve as a good document to review in the periodic audit cycle.
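The data-minimization, classification and protection lessons above can be turned into a repeatable audit check. The following is an added example, not code from FlightAware or from the original post; the tier numbers, control names and store inventory are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Assumed sensitivity tiers (3 = most sensitive) for field types named in the notice.
CLASSIFICATION = {
    "ssn": 3, "card_last4": 3,
    "full_name": 2, "billing_address": 2, "telephone": 2, "ip_address": 2,
    "pilot_status": 1, "industry_title": 1,
}
# Assumed controls required for a store whose most sensitive field is at that tier.
REQUIRED = {
    1: {"tls_in_transit"},
    2: {"tls_in_transit", "encrypted_at_rest"},
    3: {"tls_in_transit", "encrypted_at_rest", "private_endpoint", "restricted_acl"},
}

@dataclass
class Store:
    name: str
    fields: list            # field types held in this store
    controls: set           # controls actually in place
    needed: set = field(default_factory=set)  # fields with a documented need

def audit(store):
    """Return findings for one store: unclassified fields, missing controls, unneeded data."""
    findings = []
    for f in store.fields:
        if f not in CLASSIFICATION:
            findings.append(f"{store.name}: field '{f}' is unclassified")
    # Unclassified fields count as tier 3 until someone classifies them.
    tier = max((CLASSIFICATION.get(f, 3) for f in store.fields), default=0)
    for control in sorted(REQUIRED.get(tier, set()) - store.controls):
        findings.append(f"{store.name}: tier {tier} data missing control '{control}'")
    for f in sorted(set(store.fields) - store.needed):
        findings.append(f"{store.name}: field '{f}' collected without documented need")
    return findings

# Constructed sample inventory; not a description of any real system.
STORES = [
    Store("accounts-db", ["full_name", "ssn", "telephone"],
          {"tls_in_transit", "encrypted_at_rest"}, {"full_name", "telephone"}),
    Store("profile-cache", ["pilot_status", "industry_title"],
          {"tls_in_transit"}, {"pilot_status", "industry_title"}),
]

if __name__ == "__main__":
    for store in STORES:
        for line in audit(store):
            print(line)
```

Running a check like this in the periodic audit cycle gives the checklist a concrete pass/fail result per data store.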